New Add-On: Cloudflared

Take a look at GitHub - sabeechen/hassio-google-drive-backup: Automatically create and sync Home Assistant backups into Google Drive, they have a web UI that allows authenticating Google Drive. Maybe a similar approach could be used here?
Ideally, there should be a way to open a specific URL from the addon, but for now, maybe this will work.

1 Like

Thanks a lot @Misiu. Looking at that solution, they are using an always-running frontend for setting up the backup. To do that, you also have to specify the URL of the add-on when defining it in the add-on config. Since I do not have any sort of frontend and this URL only needs to be called initially to authenticate, I do not think this is a better approach than the current one, where you have to manually copy the URL from the logs.
Nevertheless, your input is very much appreciated and maybe we’ll find a way to produce something like a pop-up or a new tab.

1 Like

@poudenes I just released the new version 0.1.6. This includes the described flag as a config option.
Please have a look at the documentation for further information. Since I am not using NPM and only tested some simple websites via multiple docker containers, I would be happy to get feedback from you on the set-up and the performance.

What I will do is build a test HA on a different RPi4 and add some add-ons.
Then I will use one of my domains to change name servers to Cloudflare and then do some tests.

I have a busy period so it won't be in a day that you get some feedback :slight_smile:

1 Like

Tested this add-on on a test RPi with HAOS 6.6
Have installed Nextcloud, Joplin Server, Bitwarden and Nginx Proxy Manager.

All addons are accessible from outside now without opening ports in router!

Even the HA App (iOS and Android) is working!!!

Great job!

2 Likes

@brenner-tobias Thank you! I set this up last night, something recently happened and I was getting error 522 on all my Cloudflare CNAMEs back through my internal network. I implemented your add-on (and replaced my NGINX VM with NPM add-on). Things are working great.

…except I am struggling on how to handle clicking on the link to open NPM (port 81), it eventually times out. Not sure where the breakdown is happening. I read up above about creating a subdomain and then going that route…doable but want to understand what might be happening. Any suggestions?

I am happy the add-on works for you. A couple of things regarding the NPM UI.
The Add-On is not using Ingress (see here and here). That means that the “Open Web UI” button basically takes your current connection URL, strips the ending of it, adds the port of the UI (in our case 81) and opens a new tab with that URL.
Now if you are connected via your external URL (e.g. home.example.com), this means that the link it is opening is “home.example.com:81”. This external URL will then hit the Cloudflared Proxy, which does not forward the port 81 to your home assistant instance, since it only forwards certain ports. This is a good thing: We do not want any other port to be exposed to the internet than the ones we defined. So the link does not work.
What does work is visiting NPM locally. You can do this by either connecting to HA using the local link in your network (e.g. http://192.168.1.10:8123) and clicking on the UI Button of NPM, or directly changing your HA link to the correct one to NPM (in our case http://192.168.1.10:81).
Now from my perspective this behaviour is fine, since you do not really want to expose the NPM UI to the internet in the first place and do not have to visit it that often.
Nevertheless, if you do, there is the possibility that you also mentioned to create a subdomain (e.g. npm.example.com) in Cloudflare and then add a forward in your NPM to your local NPM address, following the documentation of the add-on. This would still mean that the UI Button in the Add-On would not work, but you would have another subdomain that is externally available to open the NPM UI.
Additionally, we could theoretically fork the NPM add-on and change the way it behaves, moving from a separate website to Ingress to open NPM in HomeAssistant directly (the way the file editor and some other add-ons are working already). Probably @frenck had his reasons for not doing that and again I do not really see the need to be able to open NPM from everywhere. I might look into that though just because I have never done an ingress config for an add-on.

Let me know if you managed to access NPM and what you think of my thoughts!

Best
Tobias

1 Like
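The behaviour explained in the post above, as an added example that is not part of the thread or the add-on's code: it derives the "Open Web UI" link from the URL the browser is on and checks it against a constructed table of published hostnames. The function names, the `PUBLISHED` table and keeping the URL scheme are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed model of what the tunnel publishes (hostname -> local service).
# Assumption for illustration only; not the add-on's configuration format.
PUBLISHED = {"home.example.com": "http://192.168.1.10:8123"}


def web_ui_target(current_url, ui_port):
    """Non-Ingress "Open Web UI" button as described above: keep the host of
    the URL the browser is on, drop path and port, append the add-on UI port.
    Keeping the scheme is an assumption of this sketch."""
    parts = urlsplit(current_url)
    return f"{parts.scheme}://{parts.hostname}:{ui_port}"


def is_lan_address(host):
    """True for a literal private IP such as 192.168.1.10."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name, so the request goes out via Cloudflare


def reachable(url, published=PUBLISHED):
    """Return (ok, reason) for a URL opened in the browser."""
    parts = urlsplit(url)
    host = parts.hostname
    if is_lan_address(host):
        return True, "direct LAN connection, tunnel not involved"
    default_port = 443 if parts.scheme == "https" else 80
    if host not in published:
        return False, "hostname is not published through the tunnel"
    if (parts.port or default_port) != default_port:
        return False, "tunnel maps the hostname only, extra port is not forwarded"
    return True, f"forwarded to {published[host]}"


if __name__ == "__main__":
    external = web_ui_target("https://home.example.com/hassio/dashboard", 81)
    internal = web_ui_target("http://192.168.1.10:8123/hassio/dashboard", 81)
    with_subdomain = dict(PUBLISHED, **{"npm.example.com": "http://192.168.1.10:81"})
    for url, table in [(external, PUBLISHED), (internal, PUBLISHED),
                       ("https://npm.example.com", with_subdomain)]:
        print(url, "->", reachable(url, table))
```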

Thank you for the quick response. Now I understand, you make a great point on “how often you need to use NPM from external”. I went ahead and created a sub-domain and used the iframe_panel to create a link to make it easier to get to the UI just so I can find it when I need it. Much appreciated and look for any new creations you are working on.

Might need to fork NPM just to get a black theme. :slight_smile:

1 Like

That’s great to hear, glad everything works for you. I do recommend though to reconsider exposing the NPM UI directly with a subdomain. In your set-up, the only thing that stands between an intruder and your complete internal reverse proxy settings is a very simple login page, which is not up-to-date and does not include 2FA.
If you really need to keep it and see no other way at all, I would at least add it as a Cloudflare Access Application (see here for a simple tutorial). This is also free and that way, at least you do have another layer of security by using your GitHub or Google login for example, both incl. 2FA.

Let me know if you have any other problems or if there is anything else I can help you with.

Edit: You could also change the iframe Panel to the internal URL. That way, it would always work if you are in your internal network but not if you are not. If this would be sufficient, there would be no need for external access.

1 Like

If you do not own a domain name, read here how to get one for free:

2 Likes

I have my HA domain. :slight_smile:

Why can I not add a domain in Cloudflare?

Error:

Did you enter this in Cloudflare page?

Yes I did.

Then I think it's something with Cloudflare and not the add-on.

Definitely an issue with Cloudflare+Freenom, so not related to the add-on (but potentially to my article on how to get a domain for free to use with the add-on…).
@lpt2007 I will send you a PM so we can try to figure out what’s happening there.

First, thank you for the plugin. I like what I see.

Second, sorry for the complete noob question. I googled, but can’t find an answer.

Installation instruction was very clear and easy until from Cloudflare I got the message: “Copy the certificate to your home directory or manually configure Argo Tunnel with the path to the certificate using the --origincert option.”

I’m using “Samba share” add-on, but can’t paste certificate to the root folder (“Operation not supported”). Can you please write an instruction how to overcome that? I suspect, that I’m not the only one.

Thank you!

I am glad you like the add-on (even though it is not working for you right now…).

I am not sure at which point you encounter this request from Cloudflare, so please provide more information on that.

If you set up the add-on in HomeAssistant, you have to configure a hostname (a subdomain of your domain name) and a tunnel name (whatever you want). If you then start the add-on, it will show you a link in the log area that you have to copy+paste into your web browser. This is used to authenticate at Cloudflare. By doing that, it automatically creates the certificate and stores it where it needs to be. After that, the add-on will do everything else in the background (creating the tunnel, creating the DNS entry and starting the tunnel) and you should be good to go.
Don’t forget to add the http:... area to your HomeAssistant though to tell HA to answer requests from the add-on as described in the config as well.

Kindly let me know if this solves your problem.

1 Like

Thank you very much for an answer!

This went smoothly, without problem and the instructions on the add-on page were very detailed and helpful. (Thank you one more time, really good job of describing how to install).

When Cloudflare creates certificate, it initiates a download of cert.pem file (I downloaded it to my computer) and in a pop-up writes an instruction:

“Upload your Argo Tunnel certificate
Your browser has downloaded the certificate required to configure the cloudflared client on your machine.
Copy the certificate to your home directory or manually configure Argo Tunnel with the path to the certificate using the --origincert option.”

The latter part of Cloudflare’s instruction “Copy the certificate to your home directory or manually configure Argo Tunnel with the path to the certificate using the --origincert option” is a showstopper for me, because I don’t know a simple (read: suited for non-programmers) way how to copy the downloaded cert.pem file to my RPi’s root. Can’t do it with Samba share add-on (“Operation not supported”), the command line I can use only with detailed instruction. So, the question is how and where to paste the cert.pem file in my RPi.

This is strange. Normally, Cloudflare will authenticate and then show you a pop-up stating that you can go back to your application. The add-on will automatically get the certificate and store it in your HA instance.
What is the status of your add-on in HomeAssistant after the download of the cert.pem file? Is it stuck and still showing the authenticate link?

So to clarify: There is no need for a manual step. If you have to manually upload the certificate, there was something wrong in the process to begin with.

1 Like